SECURITY & PRIVACY IN 3G/4G/ 5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD
|
|
- Laurence Park
- 5 years ago
- Views:
Transcription
1 SECURITY & PRIVACY IN 3G/4G/ 5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD
2 ME, MYSELF, AND EMSEC Ø BSc. & MSc. Mathematics, TU Eindhoven Master thesis on multiparty pairing-based key exchange (supervisors: Tanja Lange, Bernhard Esslinger) Ø Ph.D. at CASED (Darmstadt) Thesis: Security aspects of Distance-Bounding Protocols (supervisor: Marc Fischlin) Ø Post-doc at IRISA (Rennes) 13-14: Privacy & Distance Bounding (CIDRE) 14-15: Privacy in geolocation (CIDRE/CAPPRIS) 15-16: TLS/SSL (EMSEC)
3 EMSEC Ø IRISA research team Founded 2014 Led by: Pierre-Alain Fouque (UR1) & Gildas Avoine (INSA) As of Sept. 2015: 5 permanents: 2 UR1, 2 INSA, 1 CNRS Ø Topics: Embedded Security and Cryptography Models & Proofs Attacks on Implementation s Design & Attacks Building blocks Cryptanalysis Real-World ES
4 WHAT I DO Ø Distance-Bounding Protocols Security framework [DFKO11, FO12, FO13b], Protocol assessment/comparison [FO13a, MOV14] Privacy-preserving DB [HPO13,GOR14, MOV14] Protocol with Secret Sharing [GKL+14] Implementations [GLO15] Ø Authenticated Key-Exchange OPACITY [DFG+13] TLS 1.3 [KMO+15], TLS 1.2&1.3 eprint version AKA [AFM+15, FMO+15] (submissions)
5 WHAT I DO (II) Ø Other primitives Signatures of knowledge [FO11] Redactable signatures for tree data [BBD+10] Anonymous PKE [KMO+13] Private asymmetric fingerprinting [FGLO14] Ø Projects ANR LYRICS [finished mid 14] CAPPRIS (Inria) [ongoing]
6 THIS TALK Ø Authenticated Key Exchange Unilateral/Mutual Authentication Elegant Desired Properties Privacy in Authentication Ø The AKA Protocol Description Security (intuition) Ø AKA and Privacy The case of the Hopeless Task Ugly
7 PART II AUTHENTICATED KEY EXCHANGE
8 AUTHENTICATED KEY-EXCHANGE Ø Allows two parties to communicate securely Peer-to-Peer or Server-Client Examples: TLS/SSL ( Ø Two steps: Compute session-specific keys (handshake) Use keys for secure communication (symmetric AE)
9 AKE WITH UNILATERAL AUTHENTICATION Ø Usually the case for Server-Client AKE Anybody can talk to the server Most common TLS mode Secure channel server/client or adv/server
10 AKE WITH MUTUAL AUTHENTICATION Ø Sometimes server-client, mostly peer-to-peer Can also be achieved by unilateral authentication + password-based authentication in secure channel [KMO +15] Client and server confirm partner s identities
11 AKE SECURITY PROPERTIES (UNILATERAL) Ø Key Secrecy [BR93], [BPR00], [CK01] : Adversary s goal: distinguishing the keys of an honest, fresh session from random keys of same length Rules of game: adaptive party corruptions, keyreveal, concurrent sessions and interactions Symmetric Key Restriction: no terminal corruptions! Ø Client-impersonation resistance Adversary s goal: impersonate client in fresh authentication session Rules of game: adaptive party corruptions, keyreveal, concurrent sessions and interactions, no relays!
12 TERMINAL IMPERSONATION Ø Terminal-impersonation resistance Adversary s goal: impersonate terminal in fresh authentication session Rules of game: adaptive party corruptions, keyreveal, concurrent sessions and interactions, no relays! Ø The eternal debate: first or second Should terminal authenticate first or second? VANET, MANET, RFID authentication: terminal first When optional, usually terminal second
13 PRIVACY IN AUTHENTICATION DrawClient Corrupt Ø Key Secrecy [JW00], [Vau07], [HPV+12] : Adversary s goal: find input bit to DrawProver Rules of game: DrawClient always takes same input bit, can corrupt*, interact, etc.
14 PRIVACY NOTIONS DrawClient Corrupt Ø Weak : no corruptions Ø Forward : once A corrupts, only corruptions (find past LoR connection) Ø Strong : no restrictions Ø Narrow/wide: know result of honest sessions
15 IMPOSSIBILITY RESULTS [Vau07]: Strong Privacy requires Key- Agreement [PV08]: Wide-Forward privacy with symmetric keys is impossible if all state is revealed*
16 PART III THE AKA PROTOCOL
17 PART III. 1 IDENTIFIERS & SECRETS
18 ELEGANT SYMMETRIC (A)KE [BR93] Ø Usual case for AKE: 2 parties, e.g. client/server Ø Share symmetric secret key sk Ø Sometimes public identifier UID Ø Elegant KE: use PRF keyed with sk AKE? No problem, use another PRF and switch! n S UID UID, n C UID Keys PRF sk ( n C, n S )
19 THE CASE OF 3G/4G/5G Ø Usual case for AKE: 2 parties, e.g. client/server Ø In 3G/4G/5G networks, 3 parties: Client: registering with (only one) operator client key and operator key stored* in SIM Operator: has list of clients, whose data he knows Local terminal: not always operator (think of roaming) can authenticate/communicate with client must not know keys
20 THE CASE OF 3G/4G/5G (CONTD.) Ø Some more restrictions: Connection Terminal Operator is expensive! Assumed to take place on secure channel Whenever PKI is used, in practice this means storing PKs and certificates in the phone No PKI for Terminals (too many of them)
21 1001 IDENTIFIERS Ø Client associated with secret keys: sk C, sk OP, st C All clients of the same operator share same sk OP Ø Other identifiers: Operator associates C with unique UID (permanent) Each terminal T i associates C with 4B TID (temporary), unique per terminal, updated per session sk C UID ntid TID TID UID AKA ntid TID UID sk O P
22 1001 IDENTIFIERS (CONTD.) Ø Each terminal has noncolliding list of TIDs Inter-terminal collisions possible No centralized DB of all TIDs Ø Each terminal is associa-ted with unique LAI Like ZIP code (TID, LAI) unique
23 1001 IDENTIFIERS (SUMMARY) Ø Multiple clients of same Operator LAI UID UID UID UID
24 1001 IDENTIFIERS (SUMMARY) Ø Multiple clients of same Operator LAI UID LAI UID UID UID
25 1001 IDENTIFIERS (SUMMARY) Ø TID and UID in protocol run, same LAI LAI TID, LAI UID TID, LAI Find TID UID UID UID AKA AKA UID ntid, LAI ntid TID
26 Possible (not likely) ntid=tid 1001 IDENTIFIERS (SUMMARY) Ø TID and UID in protocol run, different LAI TID, LAI LAI TID UID UID TID, LAI TID, LAI AKA LAI UID AKA UID UID ntid, LAI ntid
27 SECRET KEYS, SECRET STATE Ø Client associated with secret keys: sk C, sk OP, st C All clients of the same operator share same sk OP Ø State st C is a sequence number Terminal also has a state st OP C w.r.t. that client Used as shared randomness for authentication Initially randomly chosen for each client Then updated by update function (3 possibilities) Unlike sk OP, sk C, Terminals may know st C
28 PART III. 2 UNDERLYING CRYPTOGRAPHY
29 CRYPTOGRAPHIC FUNCTIONS Ø The seven dwarfs: F 1 : used by terminal, for terminal authentication F 1 input : used ( sk C by client, sk OP in, R, special Sqn OP C procedure, AMF) input ( sk C, sk OP, R, Sqn OP C, AMF) F 2 : used by client, for client authentication input ( sk C, sk OP, R) F 3, F 4 : used by both for session-key generation F 5 : used input by ( sk C terminal, sk OP for, R) blinding key input ( sk C, sk OP, R) F 5 : used by client for blinding key, special procedure input ( sk C, sk OP, R)
30 MILENAGE F 1 F 1 F 5 F 2 F 3 F 4 F 5
31 TUAK F 2 F 3 F 4 F 5, F 5
32 WHAT WE PROVED FOR TUAK Ø Single function G generalizing the seven functions TUAK: G TUAK is PRF assuming that the internal permutation of Keccak is PRF Stronger than each function is PRF! Ø Intuition of G TUAK : use handy truncation of output
33 WHAT WE PROVED FOR MILENAGE Ø Single function G generalizing the seven functions Becomes 2 functions never used together in same call MILENAGE: G MIL, G MIL are PRF assuming that the AES permutation is PRF Ø Intuition of G MILENAGE : use handy XOR-ing in all the right places
34 PART III. 3 THE PROTOCOL
35 AKA STRUCTURE (BASIC) LAI st C Check TAuth Initial Identificatio n Terminal Authenticatio n Get UID Handshak e AKA UID, st OP C st OP C Check: d( st C, Client st OP C ) δ Authenticatio Resynch n Procedure Process Notify OK Update st C Update st OP C
36 AKA STRUCTURE (REAL) LAI Update st C Update st C Initial Identificatio n AKA UID, st OP C Get UID AKA UID, Update[st OP C ] Handshakes AKA UID, st OP C AKA UID, Update[st OP C ] AKA UID, Update N [st OP C ] OK Update[ st OP C ] st OP C Update st OP C
37 INITIAL IDENTIFICATION LAI ID Request (TID, LAI ) UID Request Get UID UID Fundamental privacy flaw: UID easily obtainable! Security: even if UID replaced, still OK (authenreplaced, still OK (authentication automatically fails)
38 HANDSHAKE PREPARATION (1 BATCH) LAI UID Set Sqn=Update[ st OP C ] Generate R at random. Reveals Sqn R and everything Compute: MAC OP = F 1 ( sk C, sk OP, R, Sqn, AMF) MAC C = F 2 ( sk C, sk OP, R) AK= F 5 ( sk C, sk OP, R) Autn=(Sqn XOR AK) AMF MAC OP CK= F 3 ( sk C, sk OP, R) IK= F 4 ( sk C, sk OP, R)
39 TERMINAL/CLIENT AKE LAI Compute: AK= F 5 ( sk C, sk OP, R) Retrieve Sqn and check MAC OP R (Sqn XOR AK) AMF MAC OP If Sqn { st C,, st C +δ} Compute: Rsp= F 2 ( sk C, sk OP, R) CK= F 3 ( sk C, sk OP, R) IK= F 4 ( sk C, sk OP, R) Else Resynch! Rsp Check Rsp= MAC C
40 RESYNCH PROCEDURE LAI If MAC OP verifies, but Sqn out of range Compute: AK = F 5 ( sk C, sk OP, R) MAC C = F 1 ( sk C, sk OP, st C, AMF, R) ( st C XOR AK ) MAC C Compute: AK, get st C Check: out of range Check: MAC C Set st OP C = st C Start from there.
41 PART IV SECURITY OF AKA
42 CLEANER ABSTRACTION
43 SECURITY PROPERTIES Key Secrecy: Attained under assumption of pseudorandomness of G Advantage is linear in number of clients! Client Impersonation: Attained under assumption of pseudorandomness of G Advantage is linear in N C / 2 MAC C and N C / 2 sk C
44 OFFLINE RELAYS LAI Initial Identificatio n R (Sqn XOR AK) AMF MAC OP Get UID Initial Identificatio n R (Sqn XOR AK)
45 TERMINAL-IMPERSONATION RESISTANCE Ø Attained as long as there are no offline relays Thus weaker than Client Impersonation guarantee Terminal Impersonation: Attained under assump-tion of pseudorandomness of G Advantage is linear in N C / 2 MAC C and N C / 2 sk C
46 PART V LACK OF PRIVACY & IMPOSSIBILITIES
47 TRUTH OR DARE Ø 3 GPP claim AKA is: ID-Hiding nobody can identify client Location-hiding nobody can trace client location Untraceable nobody can link client sessions Ø Their arguments: Nobody knows UID and normally it is not used Sequence number and keys are hidden in transcripts Ø We PROVE AKA is: NOT ID-Hiding very easy to recover UID Location-hiding not really NOT Untraceable see some attacks next slide
48 DISTINGUISHING BY TERMINAL IMPERSONATION LAI st C Initial Identificatio n R (Sqn XOR AK) AMF MAC OP Get UID DrawClient Initial Identificatio n R (Sqn XOR AK) AMF MAC OP
49 DISTINGUISHING BY RESYNCHRONIZATION LAI Repeat δ times st C Initial Identificatio Get UID n Update Sqn R (Sqn XOR AK) AMF MAC OP Resynch! Clien t DrawClient Initial Identificatio n R (Sqn XOR AK) AMF MAC OP Get UID LAI Update Sqn
50 THE BIG IMPOSSIBILITY Ø Goal: make this protocol forward-private Trivial solution: just build a new protocol How do we do it without changing it too much? Ø The past kills your future In the AKA protocol the client is always one step behind the terminal/operator in state. Client corruption at time t is enough to identify client in (t 1)st transcript Generalizable attack: problem is that 3GPP do not want the client to choose anything But we can fix the protocol to get weak privacy
51 PART VI CONCLUSIONS
52 AKE PROTOCOLS Ø Authenticated Key Exchange Goal: construct a secure channel between two parties 2 steps: Handshake: derive keys for authenticated encryption Use the keys to encrypt and sign your communication Ø Examples: TLS/SSL, AKA Ø Authentication: Unilateral : only one party authenticates the keys Mutual: both parties authenticate the keys
53 THEORY VS. PRACTICE & AKA Ø AKA: symmetric-key AKE protocol with mutual authentication Ø 1001 identifiers, all more or less secret, some temporary and some not Ø 2 algorithm suites: Milenage: based on AES TUAK: based on Keccak Ø Security: Key Secrecy, Client Impersonation & some terminal impersonation security Ø Privacy: many attacks, impossible to really fix for stronger privacy notions
Part II Bellare-Rogaway Model (Active Adversaries)
Part II Bellare-Rogaway Model (Active Adversaries) 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 Active Attacks Adversary may tamper, drop,
More informationSecurity & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of
Contents Security & Privacy Contents Web Architecture and Information Management [./] Spring 2009 INFO 190-02 (CCN 42509) Erik Wilde, UC Berkeley School of Information Abstract 1 Security Concepts Identification
More informationAnonymity. Assumption: If we know IP address, we know identity
03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationPart III TLS 1.3 and other Protocols
Part III TLS 1.3 and other Protocols 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 Marc Fischlin BIU Winter School 2018 2 TLS 1.3 Development
More informationA Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany
A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin, and
More informationFelix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates The main modes, 0-RTT, and replays Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin,
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationA Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila April
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationModelling the Security of Key Exchange
Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationGroup Key Establishment Protocols
Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania Outline 1. Context and Motivation 2. Classifications
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationHash Proof Systems and Password Protocols
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA
More informationECEN 5022 Cryptography
Introduction University of Colorado Spring 2008 Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationRADIO Frequency Identification (RFID) technology [1], [2] enables wireless identification of objects
1 Destructive Privacy and Mutual Authentication in Vaudenay s RFID Model Cristian Hristea and Ferucio Laurenţiu Ţiplea Abstract With the large scale adoption of the Radio Frequency Identification (RFID)
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationSecure Multi-Party Computation. Lecture 13
Secure Multi-Party Computation Lecture 13 Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCryptographically Sound Security Proofs for Basic and Public-key Kerberos
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1, I. Cervesato 2, A. D. Jaggard 3, A. Scedrov 4, and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationA robust smart card-based anonymous user authentication protocol for wireless communications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2014 A robust smart card-based anonymous user authentication
More informationSecurity Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks
An abridged version of this paper appears in the Proc. of the Third IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom 2005 Workshops), 8-12 March 2005, Kauai Island,
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationDigital Certificates Demystified
Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationANET: An Anonymous Networking Protocol
ANET: An Anonymous Networking Protocol Casey Marshall csm@soe.ucsc.edu May 31, 2005 Abstract This paper presents a simple, anonymizing network protocol. Its primary goal is to provide untraceability of
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.1 Introduction to Cryptography CSC 474/574 By Dr. Peng Ning 1 Cryptography Cryptography Original meaning: The art of secret writing Becoming a science that
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION
#RSAC SESSION ID: CRYP-W04 CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION Adam Shull Recent Ph.D. Graduate Indiana University Access revocation on the cloud #RSAC sk sk Enc Pub Sym pk k
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationVerification of security protocols introduction
Verification of security protocols introduction Stéphanie Delaune CNRS & IRISA, Rennes, France Tuesday, November 14th, 2017 Cryptographic protocols everywhere! they aim at securing communications over
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationNew Privacy Issues in Mobile Telephony: Fix and Verification
New Privacy Issues in Mobile Telephony: Fix and Verification Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Kevin Redon, Nico Golde, Ravi Borgaonkar CCS 2012, Raleigh, NC October 2012 In my bag
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationDavid Wetherall, with some slides from Radia Perlman s security lectures.
David Wetherall, with some slides from Radia Perlman s security lectures. djw@cs.washington.edu Networks are shared: Want to secure communication between legitimate participants from others with (passive
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationProvably Secure Distance-Bounding: an Analysis of Prominent Protocols
Provably Secure Distance-Bounding: an Analysis of Prominent Protocols Marc Fischlin Cristina Onete Darmstadt University of Technology & CASED, Germany www.cryptoplexity.de Abstract. Distance-bounding protocols
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationIs Password InSecurity Inevitable?
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena,
More informationCryptography in Radio Frequency Identification and Fair Exchange Protocols
Soutenance Publique de Thèse de Doctorat Cryptography in Radio Frequency Identification and Fair Exchange Protocols Gildas Avoine EPFL, Lausanne, Switzerland December 12, 2005 www.avoine.net ÉCOLE POLYTECHNIQUE
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationCOMPOSABLE AND ROBUST OUTSOURCED STORAGE
SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland Motivation Server/Database Clients Write Read block 2 Outsourced Storage: Security
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationMidgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA
Midgame Attacks (and their consequences) Donghoon Chang 1 and Moti Yung 2 1 IIIT-Delhi, India 2 Google Inc. & Columbia U., USA Crypto is a Technical Science As technology moves, so should crypto designs
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationStudy Guide for the Final Exam
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #22 Professor M. J. Fischer April 30, 2005 1 Exam Coverage Study Guide for the Final Exam The final
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationProtecting TLS from Legacy Crypto
Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + many, many others. (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU) Popular cryptographic
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationA Framework for Universally Composable Diffie-Hellman Key Exchange
A Framework for Universally Composable Diffie-Hellman Key Exchange Ralf Küsters and Daniel Rausch University of Stuttgart Stuttgart, Germany Email: {ralf.kuesters, daniel.rausch}@informatik.uni-stuttgart.de
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationDefeating IMSI Catchers. Fabian van den Broek et al. CCS 2015
Defeating IMSI Catchers Fabian van den Broek et al. CCS 2015 Ren-Jay Wang CS598 - COMPUTER SECURITY IN THE PHYSICAL ckground 3GPP 3GPP 3 rd Generation Partnership Project Encompasses: GSM and related 2G
More informationAuthentication Handshakes
AIT 682: Network and Systems Security Topic 6.2 Authentication Protocols Instructor: Dr. Kun Sun Authentication Handshakes Secure communication almost always includes an initial authentication handshake.
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationSecurity Requirements
Message Authentication and Hash Functions CSCI 454/554 Security Requirements disclosure traffic analysis masquerade content modification sequence modification timing modification source repudiation destination
More informationCSC 580 Cryptography and Computer Security
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 22 and 27, 2018 Overview Today: Quiz (based on HW 6) Graded HW 2 due Grad/honors students: Project topic selection
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 3.3: Security Handshake Pitfalls CSC 474/574 Dr. Peng Ning 1 Authentication Handshakes Secure communication almost always includes an initial authentication
More information